<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Last month, we covered how legacy GRC products and new integrated risk management (IRM) solutions can co-exist and in fact compliment each other. That said, in order for them to compliment we have to acknowledge that there is a distinct difference between the modular GRC products and IRM solutions. However, what we saw before, during, and after the RSA Conference is the GRC solutions calling themselves IRM solutions with little or no product changes. IRM technology represents a fundamental change to the approach to the product and is not simply a problem for the marketing team.

As we've said, in enterprise organizations, there is room for both but we believe that customers of these GRC platforms as well as those considering becoming customers, need to know the distinction and how to spot the false premises that GRC is telling the market. In this second post from this series on the lies that GRC is telling you we'll dive into the first lie: good things come but only to those who wait.

Good things come to those who wait: There’s a direct correlation between time to implement and amount of value

Every technology company has had to debate between developing high-value configuration, or allowing for heavy customer-facing customization when building a product. Many in the GRC space opted to have users customize whatever they want with intricate linkages between assets, controls, risks, scoring mechanisms, and business processes. More customization options were added over the years, so much so that even those who bought described implementation as something that you must “know what you’re getting into”.

We’ve read through every Gartner and Forrester report, every review from those using legacy GRC for their security program, and spoke to our partner, Gartner, and other analyst firms about the subject. The consensus is that it takes at least 3 months, if not more, to simply implement the technology after buying it. Most of the time, these jobs are completed by a third party instead of the organization itself or the vendor. The more popular industry leaders average a 6-12 month, and some even 12+ months, implementation time in order to be used by the customer.

When GRC buyers choose a product that is supposed to make their cybersecurity program more efficient and effective, they shouldn't have to wait months to use it. As mentioned before, legacy GRC serves a purpose, but getting immediate time-to-value is not a common thread among these players. In the era of emerging integrated risk management, information security organizations should be able to access and utilize intricate linkages between assets, controls, risks, scoring mechanisms, and business processes without heavy customization-- instead, making as many of these functionalities out-of-the-box as possible, with agile customer-facing configuration, is the means to the fastest time-to-value in the future state of integrated risk management. A longer implementation time does not equate to more value, as the future of GRC (IRM) is leaning towards more rapidly deployed capabilities that bring just as much, if not more.

The Sunk Cost Fallacy Of GRC

Project managers are no strangers to the sunk cost fallacy - the idea that an activity, project, or product is valued at the amount of resources invested even if it is not worth that investment. In the case of risk and compliance solutions, GRC blogs have cultivated the idea that an astronomical price tag and an average implementation time of six months increases the value of the product itself. It doesn't. In a time when artificial intelligence and machine learning powered products configure themselves out of the box (in ways that would push the upper echelons of the GRC implementation time we've seen thus far), the idea of a long time to value is only hurting CISO's and their teams.


This post is part two of CyberSaint's series diving into the false dichotomies, incorrect premises, and potential falsehoods that the GRC market has told cyber professionals.

Read the full report on the Three Lies That GRC Is Telling You here.

You may also like

Zero Trust Security – A Quick Guide
on January 24, 2022

Zero Trust is a security framework that requires authentication, authorization, and validation from all users, whether inside or outside the organization's network. This is ...

CyberStrong December Update
on January 20, 2022

December Product Update Crosswalks, graphics, and filters - Oh my! 🎵♪🎵 New crosswalks on frameworks and labels on graphics Helpful team filters and alerts on late status Clear ...

Kyndall Elliott
CEO's - Do You Know Where That ...
on January 3, 2022

It is no secret that cybersecurity has mystified many members of the C-suite since the function was introduced. Headlines are dominated by breaches and hearings of information ...

Jerry Layden
CyberSaint's Response to the Log4j ...
on December 23, 2021

Members of the CyberSaint Community, My name is Padraic O’Reilly, the Chief Product Officer of CyberSaint. In light of the impacts of the Log4j vulnerability on the greater ...

Padraic O'Reilly
The CEO's Guide To Understanding ...
on December 17, 2021

With high-profile data breaches and cyber incidents capturing headlines almost weekly, business leaders are getting a front-row seat to the impact cybersecurity can have on an ...

Jerry Layden
The Guide To A CEOs First ...
on December 16, 2021

One of the most significant challenges that CEOs and business-side leaders are faced with when tasked with implementing a cybersecurity program is the board-level reporting that ...

Jerry Layden